// Copyright 2019 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package keyset_test

import (
	"bytes"
	"encoding/base64"
	"fmt"
	"strings"
	"testing"

	"google.golang.org/protobuf/proto"
	"github.com/google/tink/go/keyset"
	"github.com/google/tink/go/testkeyset"
	"github.com/google/tink/go/testutil"

	commonpb "github.com/google/tink/go/proto/common_go_proto"
	tinkpb "github.com/google/tink/go/proto/tink_go_proto"
)

func TestJSONIOUnencrypted(t *testing.T) {
	buf := new(bytes.Buffer)
	w := keyset.NewJSONWriter(buf)
	r := keyset.NewJSONReader(buf)

	manager := testutil.NewHMACKeysetManager()
	h, err := manager.Handle()
	if h == nil || err != nil {
		t.Fatalf("cannot get keyset handle: %v", err)
	}

	ks1 := testkeyset.KeysetMaterial(h)
	if err := w.Write(ks1); err != nil {
		t.Fatalf("cannot write keyset: %v", err)
	}

	ks2, err := r.Read()
	if err != nil {
		t.Fatalf("cannot read keyset: %v", err)
	}

	if !proto.Equal(ks1, ks2) {
		t.Errorf("written keyset (%s) doesn't match read keyset (%s)", ks1, ks2)
	}
}

func TestJSONReader(t *testing.T) {
	gcmkey := []byte(testutil.NewAESGCMKey(0, 16).String())
	eaxkey := []byte(testutil.NewHMACKey(commonpb.HashType_SHA512, 32).String())
	jsonKeyset := fmt.Sprintf(`{
         "primaryKeyId":42,
         "key":[
            {
               "keyData":{
                  "typeUrl":"type.googleapis.com/google.crypto.tink.AesGcmKey",
                  "keyMaterialType":"SYMMETRIC",
                  "value": %q
               },
               "outputPrefixType":"TINK",
               "keyId":42,
               "status":"ENABLED"
            },
            {
               "keyData":{
                  "typeUrl":"type.googleapis.com/google.crypto.tink.AesEaxKey",
                  "keyMaterialType":"SYMMETRIC",
                  "value": %q
               },
               "outputPrefixType":"RAW",
               "keyId":711,
               "status":"ENABLED"
            }
         ]
      }`, base64.StdEncoding.EncodeToString([]byte(gcmkey)), base64.StdEncoding.EncodeToString([]byte(eaxkey)))
	r := keyset.NewJSONReader(bytes.NewBufferString(jsonKeyset))

	got, err := r.Read()
	if err != nil {
		t.Fatalf("cannot read keyset: %v", err)
	}

	want := &tinkpb.Keyset{
		PrimaryKeyId: 42,
		Key: []*tinkpb.Keyset_Key{
			{
				KeyData: &tinkpb.KeyData{
					TypeUrl:         "type.googleapis.com/google.crypto.tink.AesGcmKey",
					KeyMaterialType: tinkpb.KeyData_SYMMETRIC,
					Value:           gcmkey,
				},
				OutputPrefixType: tinkpb.OutputPrefixType_TINK,
				KeyId:            42,
				Status:           tinkpb.KeyStatusType_ENABLED,
			},
			{
				KeyData: &tinkpb.KeyData{
					TypeUrl:         "type.googleapis.com/google.crypto.tink.AesEaxKey",
					KeyMaterialType: tinkpb.KeyData_SYMMETRIC,
					Value:           eaxkey,
				},
				OutputPrefixType: tinkpb.OutputPrefixType_RAW,
				KeyId:            711,
				Status:           tinkpb.KeyStatusType_ENABLED,
			},
		},
	}

	if !proto.Equal(got, want) {
		t.Errorf("written keyset %q doesn't match expected keyset %q", got, want)
	}
}

func TestJSONReaderLargeIds(t *testing.T) {
	gcmkey := []byte(testutil.NewAESGCMKey(0, 16).String())
	jsonKeyset := fmt.Sprintf(`{
         "primaryKeyId":4294967275,
         "key":[
            {
               "keyData":{
                  "typeUrl":"type.googleapis.com/google.crypto.tink.AesGcmKey",
                  "keyMaterialType":"SYMMETRIC",
                  "value": %q
               },
               "outputPrefixType":"TINK",
               "keyId":4294967275,
               "status":"ENABLED"
            }
         ]
      }`, base64.StdEncoding.EncodeToString([]byte(gcmkey)))
	r := keyset.NewJSONReader(bytes.NewBufferString(jsonKeyset))

	got, err := r.Read()
	if err != nil {
		t.Fatalf("cannot read keyset: %v", err)
	}

	want := &tinkpb.Keyset{
		PrimaryKeyId: 4294967275,
		Key: []*tinkpb.Keyset_Key{
			{
				KeyData: &tinkpb.KeyData{
					TypeUrl:         "type.googleapis.com/google.crypto.tink.AesGcmKey",
					KeyMaterialType: tinkpb.KeyData_SYMMETRIC,
					Value:           gcmkey,
				},
				OutputPrefixType: tinkpb.OutputPrefixType_TINK,
				KeyId:            4294967275,
				Status:           tinkpb.KeyStatusType_ENABLED,
			},
		},
	}

	if !proto.Equal(got, want) {
		t.Errorf("written keyset %q doesn't match expected keyset %q", got, want)
	}
}

func TestJSONReaderRejectsNegativeKeyIds(t *testing.T) {
	gcmkey := []byte(testutil.NewAESGCMKey(0, 16).String())
	jsonKeyset := fmt.Sprintf(`{
         "primaryKeyId": -10,
         "key":[
            {
               "keyData":{
                  "typeUrl":"type.googleapis.com/google.crypto.tink.AesGcmKey",
                  "keyMaterialType":"SYMMETRIC",
                  "value": %q
               },
               "outputPrefixType":"TINK",
               "keyId": -10,
               "status":"ENABLED"
            }
         ]
      }`, base64.StdEncoding.EncodeToString(gcmkey))
	r := keyset.NewJSONReader(bytes.NewBufferString(jsonKeyset))

	_, err := r.Read()
	if err == nil {
		t.Fatalf("Expected failure due to negative key id")
	}
}

func TestJSONReaderRejectsKeyIdLargerThanUint32(t *testing.T) {
	// 4294967296 = 2^32, which is too large for uint32.
	gcmkey := []byte(testutil.NewAESGCMKey(0, 16).String())
	jsonKeyset := fmt.Sprintf(`{
         "primaryKeyId": 4294967296,
         "key":[
            {
               "keyData":{
                  "typeUrl":"type.googleapis.com/google.crypto.tink.AesGcmKey",
                  "keyMaterialType":"SYMMETRIC",
                  "value": %q
               },
               "outputPrefixType":"TINK",
               "keyId": 4294967296,
               "status":"ENABLED"
            }
         ]
      }`, base64.StdEncoding.EncodeToString(gcmkey))
	r := keyset.NewJSONReader(bytes.NewBufferString(jsonKeyset))

	_, err := r.Read()
	if err == nil {
		t.Fatalf("Expected failure due to negative key id")
	}
}

// Tests that large IDs (>2^31) are written correctly.
func TestJSONWriterLargeId(t *testing.T) {
	eaxkey := []byte(testutil.NewHMACKey(commonpb.HashType_SHA512, 32).String())

	ks := tinkpb.Keyset{
		PrimaryKeyId: 4294967275,
		Key: []*tinkpb.Keyset_Key{
			{
				KeyData: &tinkpb.KeyData{
					TypeUrl:         "type.googleapis.com/google.crypto.tink.AesEaxKey",
					KeyMaterialType: tinkpb.KeyData_SYMMETRIC,
					Value:           eaxkey,
				},
				OutputPrefixType: tinkpb.OutputPrefixType_RAW,
				KeyId:            4294967275,
				Status:           tinkpb.KeyStatusType_ENABLED,
			},
		},
	}

	buf := new(bytes.Buffer)
	w := keyset.NewJSONWriter(buf)
	if err := w.Write(&ks); err != nil {
		t.Fatalf("cannot write keyset: %v", err)
	}

	if !strings.Contains(buf.String(), `"keyId":4294967275`) {
		t.Errorf("written keyset %q does not contain a key with keyId 4294967275", buf.Bytes())
	}
	if !strings.Contains(buf.String(), "\"primaryKeyId\":4294967275") {
		t.Errorf("written keyset %q does not contain have primaryKeyId 4294967275", buf.Bytes())
	}
}

func TestJSONIOEncrypted(t *testing.T) {
	buf := new(bytes.Buffer)
	w := keyset.NewJSONWriter(buf)
	r := keyset.NewJSONReader(buf)

	kse1 := &tinkpb.EncryptedKeyset{EncryptedKeyset: []byte(strings.Repeat("A", 32))}

	if err := w.WriteEncrypted(kse1); err != nil {
		t.Fatalf("cannot write encrypted keyset: %v", err)
	}

	kse2, err := r.ReadEncrypted()
	if err != nil {
		t.Fatalf("cannot read encryped keyset: %v", err)
	}

	if !proto.Equal(kse1, kse2) {
		t.Errorf("written encryped keyset %q doesn't match read encryped keyset %q", kse1, kse2)
	}
}
